Re: config_back_db_open and "cannot assess the validity of the ACL scope" in openldap-devel

[Pierangelo Masarati <ando@sys-net.it>]

Gavin Henry wrote:
> Hi all,
>
> Just playing in openldap-devel, with the next step being mirrormode, and
> get this warning when running slapd with debug on:
>
>     config_back_db_open: line 0: warning: cannot assess the validity of
> the ACL scope within backend naming context
>
> So is this a seperate assessment outwith the normal syntax one?
>
> I don't quite understand the warning.
>   
That's quite informative, and issued at a very verbose log level.  
Basically, the ACL parsing code checks whether a rule will actually be 
used with the scope it can potentially apply to.  For example, if you 
place a rule

access to dn.subtree="" by * read

within a database with suffix "dc=example,dc=com", the rule might 
potentially apply to any DN, but since it's placed within a database 
with a non-empty suffix, it will only apply to 
dn.subtree="dc=example,dc=com".  So the ACL designer might be fooled 
into believing that it will apply to any entry while it won't.  This 
doesn't mean that the ACL is wrong: it will do what's intended for; 
that's why the warning is informative.  In some cases, the ACL parsing 
code cannot determine the scope of a rule (for example, when regular 
expressions are involved); this causes the specific warning you see.  If 
you understood the ACL syntax and you believe your ACLs are correct, you 
can safely ignore that warning.

p.



Ing. Pierangelo Masarati
OpenLDAP Core Team

SysNet s.n.c.
Via Dossi, 8 - 27100 Pavia - ITALIA
http://www.sys-net.it
------------------------------------------
Office:   +39.02.23998309
Mobile:   +39.333.4963172
Email:    pierangelo.masarati@sys-net.it
------------------------------------------